Lurking "spyware" may be a security weak spot

One in twenty computers with an internet connection may be harbouring unwanted "spyware" programs that can record a user's computer use and generate nuisance pop-up ads, and that may pose a security risk, suggests a US study.

So-called spyware normally piggybacks on to a computer with other "free" programs, such as some music or file-sharing software. Users may install these additional programs, which remain hidden, without realising, even though they are mentioned somewhere in the terms of agreement that appear on screen during installation.

Spyware may record a user's keystrokes or web browsing activity for market-research purposes. Or it may cause pop-up adverts to appear when a user is browsing the web. Some programs may even alter browser settings to redirect to a particular search engine. Many are difficult to remove without special software tools.

Computer scientists at the University of Washington in Seattle developed software to analyse network traffic and identify chunks of data associated with four known "spyware" programs - Gator, Cydoor, SaveNow and eZula.

They examined the traffic on the university campus and found that 5.1 per cent of all connected machines had one of these four programs running. And, within the university, 69 per cent of all departments and offices contained at least one computer running the programs. The team examined a total of 31,303 computers connected to the network.

Wider problem

"Spyware is a real problem that is already affecting a significant portion of the population," says Steven Gribble, who carried out the study with colleagues Stefan Saroiu and Henry Levy. "Our guess is that if anything, the study underestimates the extent of spyware relative to the wider internet."

Gribble says this is because the university's computer users are more technically aware than the average internet user and so are generally less likely to install spyware unknowingly. He also notes that there are many more spyware programs in circulation than the four in the study.

But spyware programs could be more than just an annoyance, the researchers warn. They discovered a simple way of using two of the programs they examined - Gator and eZula - to run unauthorised code on a computer.

The team could hack into computers running these programs by using specially crafted network packets to fool the spyware into thinking it was receiving a legitimate software update. This technique could be used to take complete control of a computer.

Low visibility

Although both of these programs have been repaired to prevent the attack occurring, the researchers say other vulnerabilities in such programs are likely to be found. "Once these kinds of vulnerabilities become known, we think people will exploit them," Gribble told New Scientist.

"The danger is that the lack of visibility of this kind of software will mean alerts about vulnerabilities either don't get generated, or people won't pay attention to them."

One solution may be a proposed piece of US legislation that aims to bring spyware under greater regulatory control. The SPYBLOCK Act would require all software to provide users with more information about the functions carried out by the programs they are installing.

But Gribble and his colleagues believe legislation may not provide a complete solution. They also suggest educating users as well as using network tools to remotely scan for computers running spyware. "It is possible to construct network signatures that identify known variants of spyware," Gribble says. "We do expect that companies can and should use tools to scan their networks."
